CRL verification for packages?

Published: Dec 20, 2018 - 5:54 PM
by Dani
Hello.

I understand the principle of package signature verification by agents, but one thing is missing from the documentation: how can I check with a CRL (or an OCSP service) if the signer has been revoked?

I have a CA dedicated to package signing, which is deployed on the workstations. For each operator, I create a certificate signed by this CA. But if one of these private keys is compromised, I would like to be able to simply revoke the certificate in question, possibly re-sign the necessary packages with another signer, and let the agents update.

Should I concatenate the CRL with the CA?

Re: CRL verification for packages?

Published: Dec 20, 2018 - 6:07 PM
by sfonteneau
The certificate URL must be included in the certificates during their generation (http).

The WAPT server will download the certificate CRLs from the WAPT packages when generating the Packages file (uploading a package).

The agent can then retrieve the CRLs available in the "ssl" folder located in the Packages file (zip).

Re: CRL verification for packages?

Published: Dec 20, 2018 - 10:22 PM
by Dani
sfonteneau wrote: Dec 20, 2018 - 6:07 PM The URL of the certificate must be entered in the certificates when they are generated (http)
Absolutely, that's the case.
sfonteneau wrote: Dec 20, 2018 - 6:07 PM The wapt server will handle downloading the certificate references (CRLs) of the certificates present in the wapt packages when generating the Packages file (uploading a package)
Okay, there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server? (I admit I haven't tested this yet ^^)
sfonteneau wrote: Dec 20, 2018 - 6:07 PM The agent can retrieve the available CRLs from the "ssl" folder located in the Packages Files (zip)
Hmm, I don't quite understand. The goal is precisely to ensure that packages signed with a revoked certificate won't be accepted by the agents. If they're basing it on a CRL contained within the package itself, it could very well be an old CRL (dating back to when the certificate hadn't yet been revoked). I must be missing something :-)

Re: CRL verification for packages?

Published: Dec 20, 2018 - 10:34 PM
by sfonteneau
dani wrote: Okay, there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server?
It's mainly the WAPT agent that will reject the package (and nothing can be done about it)
Dani wrote: Mmmmhhh, I don't quite understand. The goal is precisely to ensure that packages signed with a revoked certificate won't be accepted by the agents. If they're basing it on a CRL contained within the package itself, it could very well be an old CRL (dating back to when the certificate hadn't yet been revoked). I must be missing something. :-)
That's why your CRL has a limited validity period (normally). You need to regenerate your CRL regularly ;) !
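
The stale-CRL concern and the validity-period answer above, as an added example that is not part of the original posts and is not WAPT's code. It models a CRL by its thisUpdate/nextUpdate/revoked-serial fields only; the issuer name, serial number, dates and the fail-closed policy for a CRL outside its validity period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CrlSnapshot:
    """The CRL fields that matter here (names follow RFC 5280)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

def newest_crl(crls, issuer):
    """Most recently issued CRL for this issuer, or None if there is none."""
    return max((c for c in crls if c.issuer == issuer),
               key=lambda c: c.this_update, default=None)

def check_signer(crls, issuer, serial, now):
    """Return (accepted, reason) for a signer certificate at time `now`."""
    crl = newest_crl(crls, issuer)
    if crl is None:
        return False, "no CRL for issuer"
    if not (crl.this_update <= now <= crl.next_update):
        return False, "CRL outside validity period"  # assumed policy: fail closed
    if serial in crl.revoked_serials:
        return False, "signer revoked"
    return True, "ok"

def exposure_window(stale_crl, revoked_at):
    """How long a holder of only `stale_crl` keeps accepting a revoked signer."""
    return max(stale_crl.next_update - revoked_at, timedelta(0))

# Constructed sample data: a 7-day CRL, then a fresh one issued on revocation.
ISSUER = "CN=Example Package Signing CA"   # hypothetical
OPERATOR_SERIAL = 0x1A2B                   # hypothetical
T0 = datetime(2018, 12, 1, tzinfo=timezone.utc)
REVOKED_AT = T0 + timedelta(days=2)
OLD_CRL = CrlSnapshot(ISSUER, T0, T0 + timedelta(days=7), frozenset())
NEW_CRL = CrlSnapshot(ISSUER, REVOKED_AT, REVOKED_AT + timedelta(days=7),
                      frozenset({OPERATOR_SERIAL}))

if __name__ == "__main__":
    day3, day8 = T0 + timedelta(days=3), T0 + timedelta(days=8)
    print(check_signer([OLD_CRL], ISSUER, OPERATOR_SERIAL, day3))
    print(check_signer([OLD_CRL, NEW_CRL], ISSUER, OPERATOR_SERIAL, day3))
    print(check_signer([OLD_CRL], ISSUER, OPERATOR_SERIAL, day8))
    print(exposure_window(OLD_CRL, REVOKED_AT))
```

With only the old CRL, the revoked signer is still accepted until that CRL's nextUpdate passes, so the CRL lifetime bounds how long a compromised key remains usable.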

Re: CRL verification for packages?

Published: Dec 21, 2018 - 08:39
by Dani
sfonteneau wrote: Dec 20, 2018 - 10:34 PM
dani wrote: Okay, there's nothing to configure? So, if I build and sign a package with a revoked certificate, it will be rejected when I try to upload it to the WAPT server?
It's mainly the WAPT agent that will reject the package (and nothing can be done about it)
Okay, I'll do some tests then, to better understand how it works, and I'll come back here if I have any more questions :-)
Thanks for the info anyway